The Hacker News — Cyber Security, Hacking, Technology News

Since the Shadow Brokers released the zero-day software vulnerabilities and hacking tools – allegedly belonged to the NSA's elite hacking team Equation Group – several hacking groups and individual hackers have started using them in their own way.

The April's data dump was believed to be the most damaging release by the Shadow Brokers till the date, as it publicly leaked lots of Windows hacking tools, including dangerous Windows SMB exploit.

After the outbreak of WannaCry last week, security researchers have identified multiple different campaigns exploiting Windows SMB vulnerability (CVE-2017-0143), called Eternalblue, which has already compromised hundreds of thousands of computers worldwide.

I have been even confirmed by multiple sources in hacking and intelligence community that there are lots of groups and individuals who are actively exploiting Eternalblue for different motives.

Moreover, the Eternalblue SMB exploit (MS17-010) has now been ported to Metasploit, a penetration testing framework that enables researchers as well as hackers to exploit this vulnerability easily.

So, it would not be surprised to find more hacking groups, state-sponsored attackers, financially motivated organized criminal gangs and gray hat hackers exploiting Eternalblue to target large organizations and individuals.

The two newly discovered hacking campaigns, one traced back to Russia and another to China, are much more advanced than WannaCry, as sophisticated hackers are leveraging Eternalblue to install backdoors, Botnet malware and exfiltrate user credentials.

According to Secdo, these attacks might pose a much bigger risk than WannaCry, because even if companies block WannaCry and patch the SMB Windows flaw, "a backdoor may persist and compromised credentials may be used to regain access" to the affected systems.

Both campaigns are using a similar attack flow, wherein attackers initially infect the target machine with malware via different attack vectors, then uses Eternalblue to infect other devices in the same network and finally inject a stealthy thread inside legitimate applications, which is then used to achieve persistence by either deploying a backdoor or exfiltrating login credentials.

Russian Campaign: Credential-Theft Attacks

Secdo discovered that attackers are injecting a malicious thread into the 'lsass.exe' process using Eternalblue.

The stolen credentials are then sent to the attacker's command-and-control server via the encrypted Tor network in order to hide the real location of the C&C server.

Once sent, a ransomware variant of CRY128, which is a member of the infamous Crypton ransomware family, starts running in the memory and encrypts all the documents on the affected system.

According to Secdo, "at least 5 of the most popular Next Gen AV vendors and Anti-Malware vendors were running on the endpoints and were unable to detect and stop this attack. This is most likely due to the thread only nature of the attack."

This attack has been traced back to late April, that's three weeks prior to the WannaCry outbreak. The attack originates from Russia-based IP address (77.72.84.11), but that doesn't mean the hackers are Russian.

Chinese Campaign: Installs Rootkit and DDoS Botnet

This campaign was also seen in late April.

Using Eternalblue, a malicious thread is spawned inside of the lsass.exe process, similar to the above-mentioned credential theft attack.

But only instead of remaining purely in-memory, the initial payload then connects back to a Chinese command-and-control server on port 998 (117.21.191.69) and downloads a known rootkit backdoor, which is based on ‘Agony rootkit’ to make persistent.

Once installed, the payload installs a Chinese Botnet malware, equipped with DDoS attack functionality, on the affected machine.

"These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch," Secdo concluded.

"We highly recommend using a solution that has the ability to record events at the thread level in order to hunt, mitigate and assess potential damage as soon as possible."

These malicious campaigns went unnoticed for weeks because unlike WannaCry, the purpose of these attacks was different, holding affected systems for a long time by achieving persistent and stealing credentials to regain access.

The recent example is of "Adylkuzz," a recently-discovered stealthy cryptocurrency-mining malware that was also using Windows SMB vulnerability at least two weeks before the outbreak of WannaCry ransomware attacks.

These attacks are just the beginning, as attacks like WannaCry have not been completely stopped and given the broad impact of the NSA exploits, hackers and cyber criminals are curiously waiting for the next Shadow Brokers release, which promised to leak more zero-days and exploits from next month.

Since the attackers are currently waiting for new zero-days to exploit, there is very little users can do to protect themselves from the upcoming cyber attacks.

You can follow some basic security tips that I have mentioned in my previous article about how to disable SMB and prevent your devices from getting hacked.

If your PC has been infected by WannaCry – the ransomware that wreaked havoc across the world last Friday – you might be lucky to get your locked files back without paying the ransom of $300 to the cyber criminals.

Adrien Guinet, a French security researcher from Quarkslab, has discovered a way to retrieve the secret encryption keys used by the WannaCry ransomware for free, which works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008 operating systems.

WannaCry Ransomware Decryption Keys

The WannaCry's encryption scheme works by generating a pair of keys on the victim's computer that rely on prime numbers, a "public" key and a "private" key for encrypting and decrypting the system’s files respectively.

To prevent the victim from accessing the private key and decrypting locked files himself, WannaCry erases the key from the system, leaving no choice for the victims to retrieve the decryption key except paying the ransom to the attacker.

But here's the kicker: WannaCry "does not erase the prime numbers from memory before freeing the associated memory," says Guinet.

Based on this finding, Guinet released a WannaCry ransomware decryption tool, named WannaKey, that basically tries to retrieve the two prime numbers, used in the formula to generate encryption keys from memory, and works on Windows XP only.Note: Below I have also mentioned another tool, dubbed WanaKiwi, that works for Windows XP to Windows 7.

"It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory." says Guinet

So, that means, this method will work only if:

The affected computer has not been rebooted after being infected.

The associated memory has not been allocated and erased by some other process.

"In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!," Guinet says.

"This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API."

While WannaKey only pulls prime numbers from the memory of the affected computer, the tool can only be used by those who can use those prime numbers to generate the decryption key manually to decrypt their WannaCry-infected PC’s files.

WanaKiwi: WannaCry Ransomware Decryption Tool

Good news is that another security researcher, Benjamin Delpy, developed an easy-to-use tool called "WanaKiwi," based on Guinet's finding, which simplifies the whole process of the WannaCry-infected file decryption.

All victims have to do is download WanaKiwi tool from Github and run it on their affected Windows computer using the command line (cmd).

WanaKiwi works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008, confirmed Matt Suiche from security firm Comae Technologies, who has also provided some demonstrations showing how to use WanaKiwi to decrypt your files.

Although the tool won't work for every user due to its dependencies, still it gives some hope to WannaCry's victims of getting their locked files back for free even from Windows XP, the aging, largely unsupported version of Microsoft's operating system.

Neel Mehta, a security researcher at Google, found evidence that suggests the WannaCry ransomware, that infected 300,000 machines in 150 countries over the weekend, is linked to a state-sponsored hacking group in North Korea, known for cyber attacks against South Korean organizations.

What's Happening? What is WannaCry?

This is the fifth day since the WannaCry ransomware attack surfaced, that leverages a critical Windows SMB exploit and still infecting machines across the world using newly released variants that don't have any "kill switch" ability.

In case, if you have landed on WannaCry story for the first time, and don’t know what’s going on, you are advised to also read this simple, summarized, but detailed explanation:

WannaCry: First Nation-State Powered Ransomware?

Neel discovered that the code found in the WannaCry malware—one that first surfaced in February—was identical to the code used in an early 2015 version of Cantopee, a malicious backdoor developed by Lazarus Group, believed to be a state-sponsored hacking group linked to the North Korean government.

Security researchers from Kaspersky Lab, Intezer, Symantec, and Comae Technologies immediately followed the tip from Neel and confirmed a strong link between WannaCry and other malware families, including Lazarus, Joanap, and Brambul, which suggests WannaCry was written or modified by the same author.

However, this finding is not yet sufficient to link the Lazarus Group to WannaCry, because it is possible that WannaCry authors may have purposely copied code from Lazarus' backdoor program in an attempt to mislead researchers and law enforcement as they investigate.

"We believe that there are sufficient connections to warrant further investigation. We will continue to share further details of our research as it unfolds," says Symantec, the security firm which has tracked the Lazarus over recent years.

Agreeing to the same, Matt Suiche from Comaeio said:

"The attribution to Lazarus Group would make sense regarding their narrative which in the past was dominated by infiltrating financial institutions in the goal of stealing money. If validated, this means the latest iteration of WannaCry would, in fact, be the first nation state powered ransomware."

Is the WannaCry Attack Over? *NO*

Absolutely Not; this is just the beginning.

Security researchers have discovered some new variants of this ransomware, which could not be stopped by the kill switch, so you are advised to make sure you have applied the patch for SMB vulnerability and disabled SMBv1 protocol to keep your Windows computers safe from WannaCry and other similar attacks.

The WannaCry attackers demand ransom fees between $300 to $600 to free the hijacked data. The three bitcoin wallets tied to #WannaCry ransomware have received 225 payments totaling 35.98003282 BTC (approx. $60,000) from ransomware victims.

By now I am sure you have already heard something about the WannaCry ransomware, and are wondering what's going on, who is doing this, and whether your computer is secure from this insanely fast-spreading threat that has already hacked nearly 200,000 Windows PCs over the weekend.

The only positive thing about this attack is that — you are here — as after reading this easy-to-understandable awareness article, you would be so cautious that you can save yourself from WannaCry, as well as other similar cyber attacks in the future.

In this article, we have provided some of the most important primary security tips that you should always follow and advised to share with everyone you care for.

What is Ransomware & Why WannaCry is More Dangerous?

(A simple video demonstrating of WannaCry Ransomware, showing how fast it spreads from system-to-system without any user Interaction)

For those unaware, Ransomware is a computer virus that usually spreads via spam emails and malicious download links; specially designed to lock up the files on a computer, until the victim pays the ransom demand, usually $300-$500 in Bitcoins.

But what makes WannaCry so unique and nasty is its ability to self-spread without even need to click any link or a file.

The WannaCry ransomware, also known as Wanna Decryptor, leverages a Windows SMB exploit, dubbed EternalBlue, that allows a remote hacker to hijack computers running on unpatched Microsoft Windows operating system.

Once infected, WannaCry also scans for other unpatched PCs connected to the same local network, as well as scans random hosts on the wider Internet, to spread itself quickly.

What Has Happened So Far

We have been covering this story since Friday when this malware was first emerged and hit several hospitals across the globe, eventually forcing them to shut down their entire IT systems over the weekend, hence rejecting patients appointments, and cancel operations.

Later this cyber attack brought down many organizations to their knees.

Instead of repeating same details again, read our previous articles dig deeper and know what has happened so far:

Day 2: The Patch Day— A security researcher successfully found a way to slow down the infection rate, and meanwhile, Microsoft releases emergency patch updates for unsupported versions of Windows.

Day 3: New Variants Arrives— Just yesterday, some new variants of WannaCry, with and without a kill-switch, were detected in the wild would be difficult to stop for at least next few weeks.

Isn’t the Cyber Attack Over?

Absolutely not.

This is just beginning. As I reported yesterday, security researchers have detected some new versions of this ransomware, dubbed WannaCry 2.0, which couldn’t be stopped by the kill switch.

What's even worse is that the new WannaCry variant believed to be created by someone else, and not the hackers behind the first WannaCry ransomware.

It has been speculated that now other organized cybercriminal gangs, as well as script-kiddies can get motivated by this incident to create and spread similar malicious ransomware.

How to Protect Yourself from WannaCry Ransomware?

Here are some simple tips you should always follow because most computer viruses make their ways into your systems due to lack of simple security practices:

1. Always Install Security Updates

If you are using any version of Windows, except Windows 10, with SMB protocol enabled, make sure your computer should always receive updates automatically from the Microsoft, and it’s up-to-date always.

2. Patch SMB Vulnerability

Since WannaCry has been exploiting a critical SMB remote code execution vulnerability (CVE-2017-0148) for which Microsoft has already released a patch (MS17-010) in the month of March, you are advised to ensure your system has installed those patches.

Moreover, Microsoft has been very generous to its users in this difficult time that the company has even released the SMB patches (download from here) for its unsupported versions of Windows as well, including Windows XP, Vista, 8, Server 2003 and 2008.

Note: If you are using Windows 10 Creators Update (1703), you are not vulnerable to SMB vulnerability.

3. Disable SMB

Even if you have installed the patches, you are advised to disable Server Message Block version 1 (SMBv1) protocol, which is enabled by default on Windows, to prevent against WannaCry ransomware attacks.

Here's the list of simple steps you can follow to disable SMBv1:

Go to Windows' Control Panel and open 'Programs.'

Open 'Features' under Programs and click 'Turn Windows Features on and off.'

4. Enable Firewall & Block SMB Ports

Always keep your firewall enabled, and if you need to keep SMBv1 enabled, then just modify your firewall configurations to block access to SMB ports over the Internet. The protocol operates on TCP ports 137, 139, and 445, and over UDP ports 137 and 138.

5. Use an Antivirus Program

An evergreen solution to prevent against most threats is to use a good antivirus software from a reputable vendor and always keep it up-to-date.

Almost all antivirus vendors have already added detection capability to block WannaCry, as well as to prevent the secret installations from malicious applications in the background.

6. Be Suspicious of Emails, Websites, and Apps

So, you should always exercise caution when opening uninvited documents sent over an email and clicking on links inside those documents unless verifying the source to safeguard against such ransomware infection.

Also, never download any app from third-party sources, and read reviews even before installing apps from official stores.

7. Regular Backup your Files:

To always have a tight grip on all your important documents and files, keep a good backup routine in place that makes their copies to an external storage device which is not always connected to your computer.

That way, if any ransomware infects you, it can not encrypt your backups.

8. Keep Your Knowledge Up-to-Date

There's not a single day that goes without any report on cyber attacks and vulnerabilities in popular software and services, such as Android, iOS, Windows, Linux and Mac Computers as well.

So, it’s high time for users of any domain to follow day-to-day happening of the cyber world, which would not only help them to keep their knowledge up-to-date, but also prevent against even sophisticated cyber attacks.

What to do if WannaCry infects you?

Well, nothing.

If WannaCry ransomware has infected you, you can’t decrypt your files until you pay a ransom money to the hackers and get a secret key to unlock your file.

Never Pay the Ransom:

It’s up to the affected organizations and individuals to decide whether or not to pay the ransom, depending upon the importance of their files locked by the ransomware.

But before making any final decision, just keep in mind: there's no guarantee that even after paying the ransom, you would regain control of your files.

Moreover, paying ransom also encourages cyber criminals to come up with similar threats and extort money from the larger audience.

Who's Behind WannaCry & Why Would Someone Do This?

While it's still not known who is behind WannaCry, such large-scale cyber attacks are often propagated by nation states, but this ongoing attack does not bear any link to foreign governments.

"The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits," said Europol, Europe's police agency.

Why are they hijacking hundreds of thousands of computers around the globe? Simple — to extort money by blackmailing infected users.

By looking at the infection rate, it seems like the criminals responsible for this absurd attack would have made lots and lots of dollars so far, but surprisingly they have made relatively little in the way of profits, according to @actual_ransom, a Twitter account that’s tweeting details of every single transaction.

At the time of writing, the WannaCry attackers have received 171 payments totaling 27.96968763 BTC ($47,510.71 USD).

Who is responsible for WannaCry Attack?

— Is it Microsoft who created an operating system with so many vulnerabilities?

— Or is it the NSA, the intelligence agency of the United States, who found this critical SMB vulnerability and indirectly, facilitates WannaCry like attacks by not disclosing it to Microsoft?

— Or is it the Shadow Brokers, the hacking group, who managed to hack the NSA servers, but instead of reporting it to Microsoft, they decided to dump hacking tools and zero-day exploits in public?

— Or is it the Windows users themselves, who did not install the patches on their systems or are still using an unsupported version of Windows?

I do not know who can be blamed for this attack, but according to me, all of them shares equal responsibility.

Microsoft Blames NSA/CIA for WannaCry Cyber Attack

Microsoft has hit out at the US government for facilitating cyber attacks, like WannaCry, by not disclosing the software vulnerabilities to the respective vendors and holding them for their benefits, like global cyber espionage.

In a blog post on Sunday, Microsoft President Brad Smith condemned the US intelligence agencies’ unethical practices, saying that the "widespread damage" caused by WannaCry happened due to the NSA, CIA and other intelligence agencies for holding zero-days and allowing them to be stolen by hackers.

"This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," Smith said.

This statement also publicly confirms that the hacking tools and exploits leaked by the Shadow Brokers belong to Equation Group, an elite group of hackers from NSA.

"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage," Smith wrote.

You Should Thank These Experts

When the outbreak of WannaCry ransomware started on Friday night, It had already infected at least 30,000 computers worldwide, and at that moment nobody had an idea what’s happening and how the ransomware can spread itself like a worm so quickly.

Since then, in last three days, some cybersecurity experts and companies are continuously working hard, day and night, to analyze malware samples to find every possible way to stop this massive attack.

Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!

If you are following the news, by now you might be aware that a security researcher has activated a "Kill Switch" which apparently stopped the WannaCry ransomware from spreading further.

But it's not true, neither the threat is over yet.

However, the kill switch has just slowed down the infection rate.

Updated: Multiple security researchers have claimed that there are more samples of WannaCry out there, with different 'kill-switch' domains and without any kill-switch function, continuing to infect unpatched computers worldwide (find more details below).

So far, over 237,000 computers across 99 countries around the world have been infected, and the infection is still rising even hours after the kill switch was triggered by the 22-years-old British security researcher behind the twitter handle 'MalwareTech.'

Once infected, WannaCry also scans for other vulnerable computers connected to the same network, as well scans random hosts on the wider Internet, to spread quickly.

The SMB exploit, currently being used by WannaCry, has been identified as EternalBlue, a collection of hacking tools allegedly created by the NSA and then subsequently dumped by a hacking group calling itself "The Shadow Brokers" over a month ago.

"If NSA had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened," NSA whistleblower Edward Snowden says.

Kill-Switch for WannaCry? No, It's not over yet!

In our previous twoarticles, we have put together more information about this massive ransomware campaign, explaining how MalwareTech accidentally halted the global spread of WannaCry by registering a domain name hidden in the malware.

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

The above-mentioned domain is responsible for keeping WannaCry propagating and spreading like a worm, as I previously explained that if the connection to this domain fails, the SMB worm proceeds to infect the system.

Fortunately, MalwareTech registered this domain in question and created a sinkhole – tactic researchers use to redirect traffic from the infected machines to a self-controlled system. (read his latest blog post for more details)

Updated: Matthieu Suiche, a security researcher, has confirmed that he has found a new WannaCry variant with a different domain for kill-switch function, which he registered to redirect it to a sinkhole in an effort to slows down the infections.

hxxp://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com/

The newly discovered WannaCry variant works exactly like the previous variant that wreaked havoc across the world Friday night.

But, if you are thinking that activating the kill switch has completely stopped the infection, then you are mistaken.

Since the kill-switch feature was in the SMB worm, not in the ransomware module itself., "WannaCrypt ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant," MalwareTech told The Hacker News.

You should know that the kill-switch would not prevent your unpatched PC from getting infected, in the following scenarios:

If you receive WannaCry via an email, a malicious torrent, or other vectors (instead of SMB protocol).

If by chance your ISP or antivirus or firewall blocks access to the sinkhole domain.

If the targeted system requires a proxy to access the Internet, which is a common practice in the majority of corporate networks.

If someone makes the sinkhole domain inaccessible for all, such as by using a large-scale DDoS attack.

MalwareTech also confirmed THN that some "Mirai botnet skids tried to DDoS the [sinkhole] server for lulz," in order to make it unavailable for WannaCry SMB exploit, which triggers infection if the connection fails. But "it failed hardcore," at least for now.

WannaCry 2.0, Ransomware With *NO* Kill-Switch Is On Hunt!

CIRCL c/o securitymadein.lu

Initially, this part of story was based on research of a security researcher, who earlier claimed to have the samples of new WannaCry ransomware that comes with no kill-switch function. But for some reason, he backed off. So, we have removed his references from this story for now.

However, shortly after that, we were confirmed by Costin Raiu, the director of global research and analysis team at Kaspersky Labs, that his team had seen more WannaCry samples on Friday that did not have the kill switch.

"I can confirm we've had versions without the kill switch domain connect since yesterday," told The Hacker News.

Updated: WannaCry 2.0 is Someone Else's Work

Raiu from Kaspersky shared some samples, his team discovered, with Suiche, who analysed them and just confirmed that there is a WannaCrypt variant without kill switch, and equipped with SMB exploit that would help it to spread rapidly without disruption.

What's even worse is that the new WannaCry variant without a kill-switch believed to be created by someone else, and not the hackers behind the initial WannaCry ransomware.

"The patched version matt described does attempt to spread. It's a full set which was modified by someone with a hex editor to disable the kill switch," Raiu told me.

Updated: However, Suiche also confirmed that the modified variant with no kill switch is corrupted, but this doesn't mean that other hackers and criminals would not come up with a working one.

"Given the high profile of the original attack, it's going to be no surprise at all to see copycat attacks from others, and perhaps other attempts to infect even more computers from the original WannaCry gang. The message is simple: Patch your computers, harden your defences, run a decent anti-virus, and - for goodness sake - ensure that you have secure backups." Cyber security expert Graham Cluley told The Hacker News.

Expect a new wave of ransomware attack, by initial attackers and new ones, which would be difficult to stop, until and unless all vulnerable systems get patched.

"The next attacks are inevitable, you can simply patch the existing samples with a hex editor and it'll continue to spread," Matthew Hickey, a security expert and co-founder of Hacker House told me.

"We will see a number of variants of this attack over the coming weeks and months so it's important to patch hosts. The worm can be modified to spread other payloads not just WCry and we may see other malware campaigns piggybacking off this samples success."

Even after WannaCry attacks made headlines all over the Internet and Media, there are still hundreds of thousands of unpatched systems out there that are open to the Internet and vulnerable to hacking.

"The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host," Microsoft says.

Believe me, the new strain of WannaCry 2.0 malware would not take enough time to take over another hundred of thousand vulnerable systems.

Video Demo of WannaCry Ransomware Infection

Hickey has also provided us two video demonstrations, showing packet traces that confirm the use of Windows SMB vulnerability (MS17-010).

And Second one…

Since WannaCry is a single executable file, it can also be spread through other regular exploit vectors, such as spear phishing, drive-by-download attack, and malicious torrent files download, warned Hickey.

Get Prepared: Upgrade, Patch OS & Disable SMBv1

MalwareTech also warned of the future threat, saying "It's very important [for] everyone [to] understand that all they [the attackers] need to do is change some code and start again. Patch your systems now!"

"Informed NCSC, FBI, etc. I've done as much as I can do currently, it's up to everyone to patch," he added.

As we notified today, Microsoft took an unusual step to protect its customers with an unsupported version of Windows — including Windows XP, Vista, Windows 8, Server 2003 and 2008 — by releasing security patches that fix SMB flaw currently being exploited by the WannaCry ransomware.

Even after this, I believe, many individuals remain unaware of the new patches and many organizations, as well as embedded machines like ATM and digital billboard displays, running on older or unpatched versions of Windows, who are considering to upgrade their operating system, would take time as well as it’s going to cost them money for getting new licenses.

So, users and organizations are strongly advised to install available Windows patches as soon as possible, and also consider disabling SMBv1 (follow these steps), to prevent similar future cyber attacks.

For god sake: Apply Patches. Microsoft has been very generous to you.

Almost all antivirus vendors have already been added signatures to protect against this latest threat. Make sure you are using a good antivirus, and keep it always up-to-date.

Moreover, you can also follow some basic security practices I have listed to protect yourself from such malware threats.

Update: Speaking to Britain's ITV, Europol chief Rob Wainwright said the whole world is facing an "escalating threat," warning people that the numbers are going up and that they should ensure the security of their systems is up to date.

"We are running around 200 global operations against cyber crime each year, but we've never seen anything like this," Wainwright said, as quoted by BBC.

"The latest count is over 200,000 victims in at least 150 countries. Many of those victims will be businesses, including large corporations. The global reach is unprecedented."

Above map is showing the WannaCry ransomware infection in just 24 hours.

This story is still updating, stay tuned to our Twitter page for more up-to-date information.

In the wake of the largest ransomware attack in the history that had already infected over 114,000 Windows systems worldwide since last 24 hours, Microsoft just took an unusual step to protect its customers with out-of-date computers.

Microsoft has just released an emergency security patch update for all its unsupported version of Windows, including Windows XP, Vista, Windows 8, Server 2003 and 2008 Editions.

So, if your organization, for some reason, is still running on Windows XP or Vista, you are strongly advised to download and APPLY PATCH NOW!

WannaCrypt, or also known as WannaCry, is a new ransomware that wreaked havoc across the world last night, which spreads like a worm by leveraging a Windows SMB vulnerability (MS17-010) that has been previously fixed by Microsoft in March.

A large number of successful infections of the WannaCry ransomware at an astonishing pace concludes that either significant number of users have not yet installed the security patch released in March (MS17-010) or they are still running an unsupported version of Windows for which Microsoft is no longer releasing any security update.

"The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack," Microsoft says.

Once infected, WannaCry locks files on the computers and requires victims to pay $300 in Bitcoins to get back the control of their systems, along with a threat to double the price to $600.

But there's no guarantee of getting your files back even after paying the ransom.

How is WannaCry Spreading?

Such ransomware infection typically leverages social engineering or spam emails as a primary attack vector, tricking users into downloading and executing a malicious attachment.

WannaCry is also leveraging one such social engineering trick, as FoxIT researchers uncovered one variant of the ransomware that is initially distributed via an email containing a link or a PDF file with payload, which if clicked, installs WannaCry on the targeted system.

Once executed, the self-spreading WannaCry ransomware does not infect the targeted computers immediately, as malware reverse engineers found that the dropper first tries to connect the following domain, which was initially unregistered:

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

If the connection to the above-mentioned unregistered domain fails (which is obvious), the dropper proceeds to infect the system with the ransomware that would start encrypting files.

But if the connection is successful, the dropper does not infect the system with the WannaCry ransomware module.

A security researcher, tweeting as MalwareTech, did the same and registered the domain mentioned above, accidentally triggering a "kill switch" that can prevent the spread of the WannaCry ransomware, at least for now.

Malware Tech registered this domain by spending just £10, which makes the connection logic successful.

"In other words, blocking the domain with firewall either at ISP or enterprise network level will cause the ransomware to continue spreading and encrypting files," Microsoft warned.

If infected, the malware scans the entire internal network and spread like a worm into all unpatched Windows computers with the help of SMB vulnerability.

The SMB vulnerability has been identified as EternalBlue, a collection of hacking tools allegedly created by the NSA and then subsequently dumped by a hacking group calling itself "The Shadow Brokers" over a month ago.

Demo of WannaCry Ransomware Infection

Meanwhile, Matthew Hickey, a security expert and co-founder of Hacker House, has provided The Hacker News two video demonstrations, showing packet traces that confirm the use of Windows SMB vulnerability (MS17-010).

And Second one...

Hickey also warned: Since, the WannaCry is a single executable file, so it can also be spread through other regular exploit vectors, such as spear phishing, drive-by-download attack, and malicious torrent files download.

So Far, Over 114,000 Infections Detected in 99 Countries

WannaCry Ransomware attack has become the largest ransomware infection in history within just a few hours.

A total of 16 U.K. organizations has been affected by the ongoing attack, including the National Health Service (NHS), which was forced to reject patients, cancel operations, and reschedule appointments due to malware infection.

WannaCry also targeted Spanish telecom giant Telefónica infecting by some of its computers on an internal network, but did not affect clients or services.

Other victims of the attack include Portugal Telecom and Russia’s MegaFon.

Delivery company FedEx was also a victim.

Users from Japan, Turkey, and the Philippines were also affected.

7 Easy Steps to Protect Yourself

Currently, there is no WannaCry decryption tool or any other solution available, so users are strongly advised to follow prevention measures in order to protect themselves.

Keep your system Up-to-date: First of all, if you are using supported, but older versions of Windows operating system, keep your system up to date, or simply upgrade your system to Windows 10.

Using Unsupported Windows OS? If you are using unsupported versions of Windows, including Windows XP, Vista, Server 2003 or 2008, apply the emergency patch released by Microsoft today.

Enable Firewall: Enable firewall, and if it is already there, modify your firewall configurations to block access to SMB ports over the network or the Internet. The protocol operates on TCP ports 137, 139, and 445, and over UDP ports 137 and 138.

Backup Regularly: To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.

Beware of Phishing: Always be suspicious of uninvited documents sent an email and never click on links inside those documents unless verifying the source.

Earlier today, a massive ransomware campaign hit computer systems of hundreds of private companies and public organizations across the globe – which is believed to be the most massive ransomware delivery campaign to date.

The Ransomware in question has been identified as a variant of ransomware known as WannaCry (also known as 'Wana Decrypt0r,' 'WannaCryptor' or 'WCRY').

Like other nasty ransomware variants, WannaCry also blocks access to a computer or its files and demands money to unlock it.

Once infected with the WannaCry ransomware, victims are asked to pay up to $300 in order to remove the infection from their PCs; otherwise, their PCs render unusable, and their files remain locked.

In separate news, researchers have also discovered a massive malicious email campaign that's spreading the Jaff ransomware at the rate of 5 million emails per hour and hitting computers across the globe.

Ransomware Using NSA's Exploit to Spread Rapidly

What's interesting about this ransomware is that WannaCry attackers are leveraging a Windows exploit harvested from the NSA called EternalBlue, which was dumped by the Shadow Brokers hacking group over a month ago.

Microsoft released a patch for the vulnerability in March (MS17-010), but many users and organizations who did not patch their systems are open to attacks.

The exploit has the capability to penetrate into machines running unpatched version of Windows XP through 2008 R2 by exploiting flaws in Microsoft Windows SMB Server. This is why WannaCry campaign is spreading at an astonishing pace.

Once a single computer in your organization is hit by the WannaCry ransomware, the worm looks for other vulnerable computers and infects them as well.

"The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host" Microsoft says.

Infections from All Around the World

In just a few hours, the ransomware targeted over 45,000 computers in 74 countries, including United States, Russia, Germany, Turkey, Italy, Philippines and Vietnam, and that the number was still growing, according to Kaspersky Labs.

According to a report, the ransomware attack has shut down work at 16 hospitals across the UK after doctors got blocked from accessing patient files. Another report says, 85% of computers at the Spanish telecom firm, Telefonica, has get infected with this malware.

Another independent security researcher, MalwareTech, reported that a large number of U.S. organizations (at least 1,600) have been hit by WannaCry, compared to 11,200 in Russia and 6,500 in China.

Screenshots of the WannaCry ransomware with different languages, including English, Spanish, Italian, were also shared online by various users and experts on Twitter.

Bitcoin wallets seemingly associated with WannaCry were reportedly started filling up with cash.

The Spanish computer emergency response organization (CCN-CERT) has even issued an alert that warns users of the "massive attack of ransomware" from WannaCry, saying (translated version):

"The ransomware, a version of WannaCry, infects the machine by encrypting all its files and, using a remote command execution vulnerability through SMB, is distributed to other Windows machines on the same network."

"Power firm Iberdrola and utility provider Gas Natural were also reported to have suffered from the outbreak.," according to BBC.

How to Protect Yourself from WannaCry

First of all, if you haven't patched your Windows machines and servers against EternalBlue exploit (MS17-010), do it right now.

To safeguard against such ransomware infection, you should always be suspicious of uninvited documents sent an email and should never click on links inside those documents unless verifying the source.

To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.

Moreover, make sure that you run an active anti-virus security suite of tools on your system, and most importantly, always browse the Internet safely.